
@auth-craft/aws-cf-stack@1.8.0

Self-contained, versioned distribution of the Auth Craft AWS (DynamoDB + Lambda) + Cloudflare gateway stack. Bundles prebuilt Lambda/worker artifacts + CDK app so consumers deploy without cloning auth-craft.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only: it is not blocked unless an AI or security-team review confirms malicious behavior.

Static reason
Static analysis matched one or more suspicious signals (secret-looking patterns, child-process references, a link-local credential endpoint). None of them is confirmed malicious on its own; each needs the context check noted under its finding below.

Decision evidence

public snapshot
Behavioral surface
Source
Child process · Crypto · Environment vars · Filesystem · Network
Supply chain
High-entropy strings · Minified/obfuscated · Protestware · URL strings
Manifest
No license
scanned 7 file(s), 2.40 MB of source, external domains: 169.254.170.2, a.co, accounts.google.com, api.nodemailer.com, aws.amazon.com, docs.aws.amazon.com, dynamodb.amazonaws.com, ethereal.email, github.com, mail.google.com, nodemailer.com, portal.sso, portal.sso-fips, sts.amazonaws.com, www.postgresql.org

Source & flagged code

cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs
patternName = private_key_rsa · severity = critical · line = 5 · matchedText = `-----END...$&\r`
Critical
Critical Secret

Package contains a critical-looking secret pattern. Note that the matched text (`-----END...$&\r`) ends in the String.replace token `$&`, which points to code that rewrites PEM line endings rather than to an embedded key, and the same line numbers (5 and 129) recur in assets/lambda/index.mjs, so this looks like one bundled artifact shipped twice. Verify by opening the flagged lines: a real leak shows a `-----BEGIN ... PRIVATE KEY-----` header followed by a base64 body. If a key is genuinely embedded, rotate it and republish; scrubbing a later version does not recall the already-published one.

cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs, line 5
patternName = private_key_rsa · severity = critical · line = 5 · matchedText = `-----END...$&\r`
Critical
Secret Pattern

Possible RSA private key in cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs, line 5. The match is the PEM footer `-----END` followed by the replacement token `$&`, i.e. a line-ending rewrite of a PEM string rather than a key body; open line 5 and confirm before rotating anything.

cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs, line 5
patternName = private_key_rsa · severity = critical · line = 129 · matchedText = `` `}};var ...---- ``
Critical
Secret Pattern

Possible RSA private key in cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs, line 129. The match begins at `}};var`, so the PEM marker sits inside a string constant in minified code; confirm whether a base64 key body follows a `-----BEGIN` header before treating it as a leaked credential.

cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs, line 129
49`).pop()))return;(this.options.debug||this.options.transactionLog)&&this.logger.debug({tnx:"server"},e.replace(/\r?\n$/,"")),e.trim()||setImmediate(()=>this._processResponse());let... L50: `,"utf-8"))}}_setEnvelope(e,r){let n=[],i=!1;if(this._envelope=e||{},this._envelope.from=(this._envelope.from&&this._envelope.from.address||this._envelope.from||"").toString().trim... L51: `].includes((e.newline||"").toString().toLowerCase())}send(e,r){e.message.keepBcc=!0;let n=e.data.envelope||e.message.getEnvelope(),i=e.message.messageId(),s=[].concat(n.to||[]);s....
High
Child Process

Package source references child process execution. The quoted excerpt (lines 49–56) shows SMTP/SES mail-transport and authorization-check code, not the child-process call itself; locate the actual `child_process` import or `exec`/`spawn` call in the bundle and check whether any of its arguments can be derived from request data.

cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs, line 49
49`).pop()))return;(this.options.debug||this.options.transactionLog)&&this.logger.debug({tnx:"server"},e.replace(/\r?\n$/,"")),e.trim()||setImmediate(()=>this._processResponse());let... L50: `,"utf-8"))}}_setEnvelope(e,r){let n=[],i=!1;if(this._envelope=e||{},this._envelope.from=(this._envelope.from&&this._envelope.from.address||this._envelope.from||"").toString().trim... L51: `].includes((e.newline||"").toString().toLowerCase())}send(e,r){e.message.keepBcc=!0;let n=e.data.envelope||e.message.getEnvelope(),i=e.message.messageId(),s=[].concat(n.to||[]);s.... ... L54: \r L55: Invalid`)}},FromEmailAddress:"invalid@invalid",Destination:{ToAddresses:["invalid@invalid"]}};return this.getRegion((s,o)=>{(s||!o)&&(o="us-east-1");let a=new this.ses.SendEmailCom... L56: `);i.push("Roles: \u2713 OK")}if(r.allowOwner){let E=n?.ownerId!==void 0&&n.ownerId===e.id;if(i.push(`Owner bypass: resource.ownerId=${n?.ownerId??"undefined"}, user.id=${e.id}`),E...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking. For a bundled Lambda handler, reading environment variables and calling AWS endpoints is expected (see the external-domain list above); the question that matters is whether the execution sink ever receives request-derived input, which this excerpt does not show.

cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs, line 49
assets/admin/cli.mjs
patternName = private_key_rsa · severity = critical · line = 71 · matchedText = `` -----END...in(` ``
Critical
Secret Pattern

Possible RSA private key in assets/admin/cli.mjs, line 71. The match ends at ``in(` ``, i.e. the PEM footer is immediately followed by a function call on a template literal, which is consistent with PEM-parsing code rather than an embedded key; open line 71 and confirm.

assets/admin/cli.mjs, line 71
patternName = private_key_rsa · severity = critical · line = 187 · matchedText = `RETURNIN...----`
Critical
Secret Pattern

Possible RSA private key in assets/admin/cli.mjs, line 187. The match starts at `RETURNIN`, which appears to be part of an SQL `RETURNING` clause (the CLI bundles pg, per the excerpt below), so the PEM marker shares a minified line with query text; confirm whether any key body is actually present.

assets/admin/cli.mjs, line 187
2import{createRequire}from'module';const require=createRequire(import.meta.url); L3: var Nj=Object.create;var _m=Object.defineProperty;var Dj=Object.getOwnPropertyDescriptor;var vj=Object.getOwnPropertyNames;var Rj=Object.getPrototypeOf,Pj=Object.prototype.hasOwnPr... L4: In the next major version (pg-connection-string v3.0.0 and pg v9.0.0), these modes will adopt standard libpq semantics, which have weaker security guarantees. ... L9: L10: See https://www.postgresql.org/docs/current/libpq-ssl.html for libpq SSL mode definitions.`))}DP.exports=iu;iu.parse=iu;iu.toClientConfig=NP;iu.parseIntoClientConfig=j9});var bT=ee... L11: `);ed.write(nO.format.apply(nO,e))}}Object.defineProperty(Js.exports,"isWin",{get:function(){return ch},set:function(t){ch=t}});Js.exports.warnTo=function(t){var e=ed;return ed=t,e... ... L21: `),gu={warn:console.warn}});function _i(t){let e=t.getUTCFullYear(),r=t.getUTCMonth(),n=t.getUTCDay(),i=t.getUTCDate(),s=t.getUTCHours(),o=t.getUTCMinutes(),a=t.getUTCSeconds(),c=i... L22: `+a}catch{!n.logger||n.logger?.constructor?.name==="NoOpLogger"?console.warn(a):n.logger?.warn?.(a)}typeof o.$responseBodyText<"u"&&o.$response&&(o.$response.body=o.$responseBodyTe
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints. The link-local address in the external-domain list (169.254.170.2) is the endpoint the AWS SDK's container credential provider talks to, so its presence in a bundle that includes the SDK is expected; confirm the reference lives in that provider code and not in a user-controllable URL fetch. The anchor (line 2, the `createRequire` import) is not where the address appears.

assets/admin/cli.mjs, line 2
2import{createRequire}from'module';const require=createRequire(import.meta.url); L3: var Nj=Object.create;var _m=Object.defineProperty;var Dj=Object.getOwnPropertyDescriptor;var vj=Object.getOwnPropertyNames;var Rj=Object.getPrototypeOf,Pj=Object.prototype.hasOwnPr... L4: In the next major version (pg-connection-string v3.0.0 and pg v9.0.0), these modes will adopt standard libpq semantics, which have weaker security guarantees. ... L9: L10: See https://www.postgresql.org/docs/current/libpq-ssl.html for libpq SSL mode definitions.`))}DP.exports=iu;iu.parse=iu;iu.toClientConfig=NP;iu.parseIntoClientConfig=j9});var bT=ee... L11: `);ed.write(nO.format.apply(nO,e))}}Object.defineProperty(Js.exports,"isWin",{get:function(){return ch},set:function(t){ch=t}});Js.exports.warnTo=function(t){var e=ed;return ed=t,e... ... L21: `),gu={warn:console.warn}});function _i(t){let e=t.getUTCFullYear(),r=t.getUTCMonth(),n=t.getUTCDay(),i=t.getUTCDate(),s=t.getUTCHours(),o=t.getUTCMinutes(),a=t.getUTCSeconds(),c=i... L22: `+a}catch{!n.logger||n.logger?.constructor?.name==="NoOpLogger"?console.warn(a):n.logger?.warn?.(a)}typeof o.$responseBodyText<"u"&&o.$response&&(o.$response.body=o.$responseBodyTe
Low
Weak Crypto

Package source references weak cryptographic algorithms. The anchor is line 2 (the `createRequire` import), so the flagged algorithm is not visible here; identify which one it is and whether it protects integrity or authentication (a real problem) or is a non-security hash inside a bundled library such as pg (noise).

assets/admin/cli.mjs, line 2
bin/deploy.sh
path = bin/deploy.sh · kind = build_helper · sizeBytes = 7881 · magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files. bin/deploy.sh (7,881 bytes) and lib/create-admin.sh will presumably run with the deployer's cloud credentials; read them end to end before executing, and see the separate password finding in lib/create-admin.sh below.

bin/deploy.sh
lib/create-admin.sh
patternName = generic_password · severity = medium · line = 11 · matchedText = `local pa...:-}"`
Medium
Secret Pattern

Possible hardcoded password in lib/create-admin.sh, line 11. The matched text `local pa...:-}"` looks like a `local password="${VAR:-}"` parameter expansion that reads the value from the environment with an empty default, not a literal; confirm, and if the default really is empty, make sure the script fails rather than creating an admin with an empty password.

lib/create-admin.sh, line 11
assets/lambda/index.mjs
patternName = private_key_rsa · severity = critical · line = 5 · matchedText = `-----END...$&\r`
Critical
Secret Pattern

Possible RSA private key in assets/lambda/index.mjs, line 5. This is the same line and matched text as the cdk.out asset above, so the two files appear to be one bundled artifact shipped twice; the `$&` replacement token indicates PEM line-ending rewriting rather than key material. Confirm on the line itself, and if a key is present fix it once at the bundler.

assets/lambda/index.mjs, line 5
patternName = private_key_rsa · severity = critical · line = 129 · matchedText = `` `}};var ...---- ``
Critical
Secret Pattern

Possible RSA private key in assets/lambda/index.mjs, line 129. Same match as the cdk.out asset at line 129 (`}};var` preceding a PEM marker inside minified code); confirm whether a base64 key body follows before treating it as a leaked credential.

assets/lambda/index.mjs, line 129

Findings

7 Critical · 4 High · 6 Medium · 6 Low
Critical · Critical Secret · cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs
Critical · Secret Pattern · cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs
Critical · Secret Pattern · cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs
Critical · Secret Pattern · assets/admin/cli.mjs
Critical · Secret Pattern · assets/admin/cli.mjs
Critical · Secret Pattern · assets/lambda/index.mjs
Critical · Secret Pattern · assets/lambda/index.mjs
High · Child Process · cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs
High · Same File Env Network Execution · cdk/cdk.out/asset.530567cf1e6fd5236cd0e483ba02427949a4a68b619db930921f8d3ba9f03689/index.mjs
High · Cloud Metadata Access · assets/admin/cli.mjs
High · Obfuscated
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Build Helper · bin/deploy.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · lib/create-admin.sh
Low · Scripts Present
Low · Weak Crypto · assets/admin/cli.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License